Exclusive: Why businesses shouldn’t rely on a single cloud vendor

Recently IT Brief had the opportunity to talk to Ed Jennings, COO of Mimecast about multi-cloud and the cost of downtime.

To start off with can you tell me a bit more about yourself and your experience in the industry?

I joined Mimecast in August 2015 as Chief Operating Officer where I’m responsible for leading the global marketing, sales and services teams. Prior to Mimecast, I was responsible for delivering the global marketing strategy for cloud-based application security firm Veracode as Chief Marketing Officer.

My experience in Software-as-a-Service (SaaS) and security, however, started when I was Chief Executive Officer at Copanion, a SaaS workflow solutions provider. I also served as General Manager at ADP where I was responsible for the company’s SaaS-based compliance business.

Why do you believe a majority of businesses transitioning to the cloud rely on a single vendor?

A majority of businesses do not rely on a single vendor. Most have dozens or hundreds of cloud service providers as part of their IT portfolio. These range from some of the largest cloud providers such as Amazon Web Services and Microsoft Office365 to smaller cloud-based service providers.

However, when businesses transition from adopting legacy applications to cloud-based applications, securing these applications and data are no longer on-premise, which can be concerning for many organisations.

While some security controls exist within the cloud services themselves, it’s critical organisations also work with a specialised cloud security provider to implement independent security services to ensure optimum efficiency and protection is achieved.

Organisations should regularly review business functions that are supported by a single vendor or platform and identify those technologies that are business critical. Knowing this enables organisations to build in resilience from a security, service assurance and data assurance perspective for those vital few.

What are some of the major issues related to only relying on one vendor?

Operational dependency on a single service provider for security, data management, and service resilience creates business risks. It’s inevitable that services will fail from time to time and IT leaders need to ensure they are prepared for it by not outsourcing responsibility to a lone cloud service.

When outages occur, they are disruptive, but the consequence are worse when the downtime is caused by a cyber attack. If organisations rely on a single vendor the price tag of downtime – when it occurs – can be expensive.

According to Gartner, the average cost of IT downtime is US$5,600 per minute, which adds up to well over US$300,000 per hour. And if you consider that the average downtime Australian organisations experience following a ransomware attack is three days, the financial damage can quickly add up.

No organisation should trust a single vendor without an independent cyber resilience and continuity plan to keep connected and prepared during unplanned, and planned, outages. All organisations need to deeply consider the downstream effects of losing a critical service due to technical failure or human error.

Loss of critical business services such as email are often underestimated and can have a detrimental impact on productivity levels, customer relationships and business reputation.
How can businesses better prepare themselves for potential cyber breaches and cloud downtime?

There has never been a more important time for organisations to seriously consider implementing a cyber resilience strategy to secure all business-critical IT services. Transitioning services from on-premise to the cloud has many economic and operational benefits, however preventing malicious attacks is not one of them.

The good news is that the IT operational best practices and security control frameworks that have been in use for years, pre-cloud, apply in the cloud era. The only differences are how these practices and controls are implemented.

Third-party cloud providers are well-positioned to provide various types of security controls, backup and recovery, and independent continuity services to help organisations recover from cyber attacks or periods of downtime that impact their cloud-based applications and services.

Given the scale, and dedicated security teams of these cloud providers, smaller organisations, or often larger organisations, are able to access greater security and better uptime than what can be realistically achieved on-premise.

Resiliency in layers is key to business continuity. Testing and planning regularly will also ensure that when organisations are hit with an outage that the impact of downtime is minimal, and they can be up and running as soon as possible.
What would the optimal balance between cloud and security look like for businesses?
Organisations should never have to choose between using cloud services or securing applications in the cloud. It’s possible to achieve both.

Organisations need to remember when they transition their applications and data to the cloud, they don’t neglect their security posture, instead it’s important they view it as an opportunity to enhance it.

Organisations can reinvest the funds they save from moving to the cloud into enhancing their business continuity and disaster recovery plan.